Networks are constantly exposed to security exploits that are of significant concern to network providers. For example, Denial of Service (“DoS”) attacks can cause significant damage to networks and networked devices. A DoS attack is defined as an action taken upon on a computer network or system by an offensive external device that prevents any part of the network from functioning in accordance with its intended purpose. This attack may cause a loss of service to the users of the network and its network devices. For example, the loss of network services may be achieved by flooding the system to prevent the normal servicing for performing legitimate requests. The flooding may consume all of the available bandwidth of the targeted network or it may exhaust the computational resources of the targeted system.
A Distributed Denial of Service (“DDoS”) attack is a more aggressive action that involves multiple offensive devices performing an attack on a single target computer network or system. This attack may be performed in a coordinated manner by these multiple external devices to attack a specific resource of a service provider network. The targeted resource can be any networking device such as routers, Internet servers, electronic mail servers, Domain Name System (“DNS”) servers, etc. Examples of a DDoS attack include (but are not limited to): large quantities of raw traffic designed to overwhelm a resource or infrastructure; application specific traffic designed to overwhelm a particular service; traffic formatted to disrupt a host from normal processing; traffic reflected and/or amplified through legitimate hosts; traffic originating from compromised sources or from spoofed IP addresses; and pulsed attacks (which start/stop attacks).
Other network security threats include Trojan horse attacks that may be embedded in harmless software, viruses that can reproduce themselves and attach to executable files, worms that can spread via stored collections of e-mail addresses, and logic bombs that can remain dormant until triggered by an event (e.g., a date, user action, random trigger, etc.).
One or more threat management devices can be provided to manage threat traffic associated with network attacks, such as by applying countermeasures to thwart such attacks. However, the volume of threat traffic can fluctuate. At times, threat traffic can be minimal, during which the threat management device(s) may use a small amount of processing resources to manage the threat traffic. However, when a major attack is detected that generates a large amount of threat traffic, the threat management device(s) need a large amount of processing resources to handle its tasks. The threat management device(s) have a finite capacity. When the threat management device(s)′ capacity is surpassed, the threat management device(s) can drop arbitrary traffic without analysis, such that legitimate traffic can be dropped along with attack traffic, thus allowing the attack to succeed.
Such conventional methods and systems have generally been considered satisfactory for their intended purpose. However, there is still a need in the art for scaling management of threat traffic so that processing resources are available when a large amount of processing resources are needed to manage threat traffic during major attack, but the processing resources are not tied up when a major attack is not underway and less threat traffic management is needed. The present disclosure provides a solution for these problems.